Disaster Recovery Planning: Is Your Plan in Place?
Presented by: Steve Shofner, CISA, CGEIT
The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.
AGENDA
• What is a Disaster?
• Disaster Recovery vs. Business Continuity
• Drivers for Having a Disaster Recovery Plan
• How Do You Get Started?
• Disaster Recovery Plan Structure
• Key Considerations
• Testing the Disaster Recovery Plan
• Resources
• Questions?
DISASTERS
Sudden, calamitous event that brings great damage, loss or destruction. (Source: Merriam-Webster dictionary)
Natural
• Earthquake
• Flood
• Hurricane
• Drought
• Twister
• Tsunami
• Cold/Heat wave
• Thunderstorm
• Mudslide
Man-Made
• Riots
• War
• Terrorism
• Power outages
• Sprinkler system bursts
• Equipment sabotage
• Arson
• Epidemic
• Pollution
• Transportation accident
• Food poisoning
Technological
• Database corruption
• Hacking
• Viruses
• Internet worms
“DISASTERS” COME IN ALL SIZES
[Figure panels: Large; Small]
OBJECTIVES OF DISASTER RECOVERY VS. BUSINESS CONTINUITY
• Disaster Recovery – Successfully recover IT systems in the shortest timeframe possible
• Business Continuity – Continue critical business functions in the absence of key resources (considering customers, suppliers, regulators, and others)
DRIVERS FOR HAVING A DISASTER RECOVERY PLAN
• High availability of data is required by your industry
• Regulatory requirements
  o Federal Emergency Management
  o Government Contractor
• Contractual obligation with a business partner
• Makes good business sense!
HOW DO YOU GET STARTED?
• Conduct a Risk Assessment
• Identify critical data
• Conduct a Business Impact Analysis (BIA)
• Create a data backup process
• Determine resources needed during a recovery effort
CONDUCT A RISK ASSESSMENT
Consider the risks to your organization and the probability of each happening:
Natural
• Earthquake
• Flood
• Hurricane
• Drought
• Twister
• Tsunami
• Cold/Heat Wave
• Thunderstorm
• Mudslide
Man-Made
• Riots
• War
• Terrorism
• Power outages
• Sprinkler system bursts
• Equipment sabotage
• Arson
• Epidemic
• Pollution
• Transportation Accident
• Food Poisoning
Technological
• Database corruption
• Hacking
• Viruses
• Internet worms
COMMON PLANNING PITFALL
• You do not need to develop individual contingencies for each type of risk/disaster.
• Focus on the absence of key resources, such as (but not limited to) data, regardless of the reason. (For this presentation, we will focus on data.)
IDENTIFY CRITICAL DATA (RESOURCES)
Evaluate processes with owners, identifying how/where critical data is input from, processed, stored, and exported to:
• What type(s) of data is required?
• What type(s) are key / critical?
• When, how, and where is data input from?
• Who owns that data?
• What processing happens with that data?
• Where is the data stored (e.g., systems involved, storage area networks, other media)?
• When, where, and how is data exported?
BUSINESS IMPACT ANALYSIS (BIA)
• Identifies business units, operations, and processes essential to the survival of the business.
• Considerations:
  o Life or death situation
  o Potential for significant loss of revenue
  o Obligations to external parties may be jeopardized
  o Quantify impacts where possible
• Determine:
  o RTO – Recovery time objective
  o RPO – Recovery point objective
  o Critical for determining the order and priority of system recovery
DATA BACKUPS
• Questions to ask:
  o Is your data backed up? How often? Where? (network storage, tape media, offsite/onsite)
  o How is it stored and is it adequately secured?
  o Is the restoration process tested? Regularly? How often?
• Work with IT staff to identify the critical resources required to recreate the data (includes hardware, database software, operating system, application configuration data, backed-up data, etc.)
IDENTIFY RESOURCES REQUIRED FOR RECOVERY EFFORT
• Alternate recovery site (co-location facilities, hotel meeting rooms, executive suites, etc.)
  o Hot / Warm / Cold?
• Server equipment (virtualized or physical, type/model, hardware configuration, storage equipment)
  o How quickly can equipment be purchased and acquired?
• Software including operating system type, database environment, application, and configuration settings.
• Backup management software
• Backup media equipment (backup equipment – LTOs, SDLT, DDS)
• Backup media
• Connectivity (Internet, VPNs/links to partners, extranets)
• Critical IT staff (System Administrators, Database Administrators)
CLOUD CONSIDERATIONS
[Diagram labels: Your Organization; Network; Cloud Provider (SaaS, PaaS, IaaS); Network; Cloud Provider (SaaS, PaaS, IaaS)]
CLOUD SERVICE CONSIDERATIONS
[Diagram labels: Your Organization; Cloud Service Provider; Data Center Provider; Tier 1 Outsourced Support; Software Development]
CLOUD MANAGEMENT CONSIDERATIONS
• Understand the vendor’s environment
• Understand the vendor’s disaster recovery / business continuity plan
  o DR is often separate from service level agreements (e.g., 99.999% uptime) in many agreements, which often have disaster / force majeure (‘acts of God’) exceptions. Understand what guarantees they provide in DRP/BCP situations.
  o Obtain and review a Service Organization Controls (SOC) report
• Ensure there is an audit clause in your agreement
DISASTER RECOVERY PLAN STRUCTURE
• Assumptions (communications infrastructure in place, primary location still available, primary IT staff available)
• Roles and Responsibilities
• Declaration of a Disaster
• Equipment Salvage (procurement)
• System Recovery Process (alternate site)
• Resumption at Primary Site
• Declare End of Disaster (debrief)
CONSIDERATIONS
• Key staff (and/or vendors) may or may not be available during the recovery effort
  o Plan for Primary, Secondary, Tertiary, others
  o Ensure adequate decision-making and spending authority in advance
• Communications and infrastructure for the region may/may not be functioning
• Escalation plan and related timelines
• Recovery procedures should provide enough detail so that alternate resources can follow if needed
• Recover all vs. subset of the required systems to meet critical (not all) business processes
• There will be performance degradation
• Functionality may be limited
ROLES AND RESPONSIBILITIES
The Disaster Recovery Team includes…
• Disaster Recovery Coordinator: C-level individual or manager who directs the teams and serves as the leader of the recovery efforts
• Media/Communications Representative: C-level manager, legal counsel or similar spokesperson who ensures a consistent message is communicated to the media
• Salvage Team: IT and business unit staff who assess the equipment to determine if damage is minimal or extensive, and if new equipment needs to be procured
• Recovery Team: IT team responsible for system rebuilding and data restoration
• Backup Support Staff: The secondary individuals who can assume the role of the primary who may not be available
DECLARATION OF A DISASTER
• Criteria for invoking the disaster recovery plan
  o Severe disruption to service
  o Potential for major data loss
  o Data security may have been compromised
• Initiating the call tree process
  o Disaster Recovery Coordinator starts the notification and activates the other teams involved in the recovery effort
  o Business unit managers responsible for notifying their teams
GET THE WORD OUT!
• Key Stakeholders:
  o Customers
  o Employees
  o Suppliers
  o Insurance providers
  o Civic agencies (e.g., Police, Fire, National Guard)
  o Local media
• Communication Channels:
  o Intranet
  o Externally-hosted website (consider mobile)
  o Phone
  o Automated phone service (call-out, dial-in, or both)
  o Print media
  o Mail
  o Bulletin board
DISASTER RECOVERY ACTIVITIES - EQUIPMENT SALVAGE
• Primary site may be available, but access is restricted due to danger
• Survey damage to assets for insurance purposes
• Determine if anything can be saved or serviced by the vendor immediately
• Device/Server support agreements need to be leveraged
• Test potentially damaged systems before relying on them for recovery operations
• Initiate emergency procurement process for immediate hardware, software, and appliance needs